
1 Active Worm and Its Defense (CSE651: Network Security)

2 Worm vs. Virus
- Worm: a program that propagates itself over a network, reproducing itself as it goes
- Virus: a program that searches out other programs and infects them by embedding a copy of itself in them

3 Active Worm vs. [D]DoS
- DDoS stands for Distributed Denial of Service
- Propagation method: a worm spreads by copying itself to new victims, while a DDoS attack is launched from hosts the attacker already controls
- Goal: a DDoS aims at congestion and resource appropriation on one target; a worm aims at infecting as many hosts as possible
- Rate of distribution
- Scope of infection

4 History (http://snowplow.org/tom/worm/history.html)
- Morris Worm, the first worm "virus", released on November 2, 1988 by Robert Tappan Morris, then a 23-year-old doctoral student at Cornell University
- Code Red worm, July 2001: infected more than 350,000 Microsoft IIS servers; the outbreak finished in 14 hours
- Slammer worm, January 2003: infected nearly 75,000 Microsoft SQL Server hosts; the outbreak finished in less than one hour (most of the infections happened within the first ten minutes)
- MyDoom worm, February 2004: infected a large number of hosts, which then automatically and successfully DDoS-attacked a few popular websites

5 The Morris Worm of 1988
- First "worm" program
  - Released by Robert T. Morris of Cornell University
  - Affected DEC VAX and Sun Microsystems Sun-3 systems
- Spread
  - ~6,000 victims, i.e. 5-10% of the hosts on the Internet at that time
  - More machines were disconnected from the net to avoid infection
- Cost
  - Some estimates: $98 million
  - Other reports: less than $1 million
- Triggered the creation of CERT (Computer Emergency Response Team)

6 Recent Worms
- July 13, 2001: Code Red v1
- July 19, 2001: Code Red v2
- Aug. 04, 2001: Code Red II
- Sep. 18, 2001: Nimda
- ...
- Jan. 25, 2003: SQL Slammer
- More recent: Sobig.F, MSBlast (Blaster), ...

7 How an Active Worm Spreads
- Autonomous: no human interaction is needed
- [Diagram: infected machine -> scan -> probe -> transfer copy to the new victim, which repeats the cycle]

8 Basic Propagation Method
- Network worm: uses port scanning to find vulnerable targets
- Application worm: propagates through email, instant messaging, operating-system file sharing, P2P file-sharing systems, or other applications
- Hybrid worm: combines both

9 Delivery Method (how the worm code is delivered to vulnerable hosts)
- Self-contained / self-propagating: each newly infected host becomes a new source and sends the worm code to the hosts it infects
- Embedded: carried inside infected files, such as emails or shared files
- Second channel: the newly infected host uses a second channel, such as TFTP (Trivial File Transfer Protocol), to download the worm code from a central source

10 Scanning Strategy (1)
- Random scanning
  - Probes random addresses in the IP address space (Code Red v2)
- Selective random scanning
  - Restricts the target address space to a set of addresses that are more likely to belong to existing machines
- Hit-list scanning
  - Probes addresses from an externally supplied list
- Topological scanning
  - Uses information found on the compromised host, e.g. address books (email worms)
- Local subnet scanning
  - Preferentially scans targets on the same subnet as the infected host (Code Red II and the Nimda worm)

11 Scanning Strategy (2)
- Routable scanning
  - Chooses only routable IP addresses (e.g. taken from BGP routing tables) as scan targets, skipping unallocated space
- DNS scanning
  - Chooses hosts that have a DNS name as scan targets
- Permutation scanning
  - All instances share one pseudo-random permutation of the address space; each newly infected host starts at a different point in it, so instances do not re-probe blocks already covered
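The scanning strategies above as an added simulation (example code written for this page, not from the slides or the papers they summarize). It runs a worm on a constructed toy address space of 4096 addresses in which the vulnerable hosts cluster in 16 subnets, and compares uniform random scanning, local-subnet-preference scanning and hit-list scanning by the number of infected hosts per tick. The address-space size, the clustering, the scan rate, the local-probe probability and the assumption that the hit-list is complete are all constructed parameters:

```python
import random
from collections import deque

# Constructed toy Internet: 4096 addresses split into 256 subnets of 16 (stand-ins for /28s).
N_ADDRS = 4096
SUBNET_SIZE = 16
N_VULN = 256


def make_vulnerable_set(rng):
    """Constructed population: every address in 16 randomly chosen subnets is vulnerable,
    i.e. vulnerable hosts cluster by network the way they do on real intranets (256 in all)."""
    subnets = rng.sample(range(N_ADDRS // SUBNET_SIZE), N_VULN // SUBNET_SIZE)
    return {s * SUBNET_SIZE + off for s in subnets for off in range(SUBNET_SIZE)}


def simulate(strategy, scan_rate=8, ticks=80, local_prob=0.5, seed=7):
    """Run one outbreak and return the infected-host count after each tick.

    strategy: 'random'  - uniform random scanning (Code Red v2)
              'local'   - with probability local_prob probe the scanner's own subnet,
                          otherwise a random address (Code Red II / Nimda)
              'hitlist' - probe addresses from a pre-supplied list first, then at random
    Every infected host sends scan_rate probes per tick; a probe that reaches an
    uninfected vulnerable address infects it at the start of the next tick.
    """
    rng = random.Random(seed)
    vulnerable = make_vulnerable_set(rng)
    infected = {min(vulnerable)}                       # patient zero
    # Assumption: the hit-list is complete (every other vulnerable host) and is consumed
    # in order by whichever instance scans next, so no address on it is probed twice.
    hitlist = deque(rng.sample(sorted(vulnerable - infected), N_VULN - 1))
    history = [len(infected)]
    for _ in range(ticks):
        newly = set()
        for src in list(infected):
            for _ in range(scan_rate):
                if strategy == "hitlist" and hitlist:
                    target = hitlist.popleft()
                elif strategy == "local" and rng.random() < local_prob:
                    target = src - src % SUBNET_SIZE + rng.randrange(SUBNET_SIZE)
                else:
                    target = rng.randrange(N_ADDRS)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return history


def ticks_to_full(history):
    """First tick at which all N_VULN hosts are infected, or None if the run never got there."""
    for tick, count in enumerate(history):
        if count == N_VULN:
            return tick
    return None


if __name__ == "__main__":
    for strategy in ("random", "local", "hitlist"):
        h = simulate(strategy)
        print(f"{strategy:8s} infected after ticks 0,5,10,20: {h[0]}, {h[5]}, {h[10]}, {h[20]}; "
              f"all {N_VULN} infected at tick {ticks_to_full(h)}")
```

On this clustered population local-subnet scanning saturates each subnet within a few ticks and wins clearly over random scanning; on a uniformly spread population it gives no advantage, which is why Code Red II's preference for nearby /8 and /16 ranges paid off on corporate networks. The hit-list run finishes in three ticks only because the list names every victim; a real hit-list is partial, and the worm falls back to random scanning once it is exhausted.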

12 Synchronization between Infected Hosts (or Worm Instances)
- Asynchronous
  - Each infected host behaves individually, without synchronization with other infected hosts
- Synchronized
  - Infected hosts synchronize with each other, e.g. through a central server

13 Propagation Activity Control
- Non-stopping
  - Keeps port scanning and never stops
- Time control
  - Preset stop and restart timers control the port-scanning activity
- Self-adjustment
  - Self-control according to the environment (Atak worm) or to an estimate of the number of infected hosts (self-stopping worm)
- Centralized control
  - Controlled by the attacker

14 Scan Rate
- Constant scan rate
  - Each infected host keeps a constant scan rate, bounded by the host's processing power and outgoing bandwidth
- Randomly varying scan rate
  - The scan rate changes at random
- Smart varying scan rate
  - The scan rate changes according to rules derived from the attack policy and the environment
- Controlled varying scan rate
  - The scan rate changes according to the attacker's control commands

15 Modularity
- Non-modular
- Modular
  - The worm code uses a modular design, so that new attack modules can be sent to infected hosts and plugged in after infection

16 Organization
- Decentralized
  - No organization or cooperation among infected hosts, and no communication between the infected hosts and the attacker
- Centralized organization
  - Organized through Internet Relay Chat (IRC) or other methods, as botnets do, so that the attacker can control the infected hosts

17 Payload Carried with the Worm Code
- Spamming: code to send spam from the infected hosts
- DDoS attack: code to carry out DDoS attacks
- Sniffing: code to watch for interesting clear-text data passing by the infected hosts
- Spyware: spyware code
- Keylogging: code to capture keystrokes and harvest the passwords typed on the infected hosts
- Data theft: code to steal private data

18 Techniques for Exploiting Vulnerabilities (the Morris worm's three vectors)
- fingerd (stack buffer overflow)
- sendmail (bug in the "debug mode": the DEBUG command was left enabled)
- rsh/rexec (guessing weak passwords)

19 Active Worm Defense
- Modeling
- Infection mitigation

20 Worm Behavior Modeling (1)
- Propagation model, with
  - V: the total number of vulnerable nodes
  - N: the size of the address space
  - i(t): the fraction of the V vulnerable nodes that are infected at time t
  - r: the scan rate of the worm

21 Worm Behavior Modeling (2)
- Propagation model, with
  - M(i): the total number of infected hosts at time tick i
  - N(i): the number of still-uninfected vulnerable hosts at time tick i
  - E(i): the number of hosts newly infected between time tick i and tick i+1
  - T: the total number of IP addresses, i.e. 2^32 for IPv4
  - N(0): the number of vulnerable hosts on the Internet before the worm attack starts
  - Initial conditions: E(0) = 0, M(0) = M_0
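The two slides list the symbols, but the equations themselves are not in this transcript. As an added worked example (not code from the slides), the following implements the discrete recurrence that these symbols conventionally belong to, E(i) = N(i)·(1 − (1 − 1/T)^(r·M(i))), M(i+1) = M(i) + E(i), N(i+1) = N(i) − E(i), which is my assumption about what the slide showed, alongside the continuous logistic model in the symbols of the first slide, di/dt = (r·V/N)·i·(1 − i). The parameters (360,000 vulnerable hosts, 10 initial infections, 600 probes per host per tick, T = 2^32) are constructed:

```python
import math


def discrete_model(N0, M0, r, T=2 ** 32, ticks=1000):
    """Discrete-time propagation model in the symbols of slide 21.

    M(i): infected hosts at tick i, N(i): still-uninfected vulnerable hosts,
    E(i): hosts newly infected between tick i and i+1, T: address-space size.
    Assumed recurrence (the slide only lists the symbols): each of the r*M(i) probes
    sent in one tick misses a given address with probability (1 - 1/T), so the
    fraction of N(i) hit at least once is
        E(i) = N(i) * (1 - (1 - 1/T) ** (r * M(i)))
        M(i+1) = M(i) + E(i),  N(i+1) = N(i) - E(i)
    Returns the list M(0), M(1), ..., M(ticks).
    """
    log_miss = math.log1p(-1.0 / T)                    # ln(1 - 1/T) without cancellation
    M, N = float(M0), float(N0)
    history = [M]
    for _ in range(ticks):
        hit_fraction = -math.expm1(r * M * log_miss)   # 1 - (1 - 1/T)^(r*M), computed stably
        E = N * hit_fraction
        M, N = M + E, N - E
        history.append(M)
    return history


def continuous_model(V, N, r, i0, t):
    """Continuous model in the symbols of slide 20: di/dt = (r*V/N) * i * (1 - i).

    Each infected host sends r probes per unit time and a probe hits an uninfected
    vulnerable host with probability V*(1 - i)/N, so the growth rate is beta = r*V/N
    and the solution is the logistic curve returned here.
    """
    beta = r * V / N
    g = i0 * math.exp(beta * t)
    return g / (1.0 - i0 + g)


def continuous_half_time(V, N, r, i0):
    """Time at which the logistic solution reaches i = 1/2."""
    return math.log((1.0 - i0) / i0) / (r * V / N)


def first_tick_at_least(history, level):
    """Index of the first tick whose infected count reaches `level`, or None."""
    for tick, m in enumerate(history):
        if m >= level:
            return tick
    return None


if __name__ == "__main__":
    # Constructed parameters: 360,000 vulnerable hosts (Code Red scale), 10 initially
    # infected, 600 probes per host per tick (e.g. 10 probes/s with one-minute ticks).
    N0, M0, r = 360_000, 10, 600
    hist = discrete_model(N0, M0, r)
    total = N0 + M0
    print("tick  infected")
    for tick in (0, 60, 120, 180, 240, 300, 400):
        print(f"{tick:4d}  {hist[tick]:10.0f}")
    print("discrete half-infection tick  :", first_tick_at_least(hist, total / 2))
    print("continuous half-infection time:",
          round(continuous_half_time(total, 2 ** 32, r, M0 / total), 1))
```

The discrete and continuous models agree to within a few ticks on the time to half infection; the discrete one lags slightly because it is a unit-step Euler integration of the same logistic curve. Both show why the scan rate r is the lever that every mitigation on the later slides attacks: the growth rate in the exponential phase is r·N(0)/T per tick, so halving r doubles the time an outbreak takes.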

22 Modeling P2P-based Active Worm Attacks
- Basic worm attack strategy
  - Pure Random-based Scan (PRS): the victim is selected at random; adopted by Code Red I and Slammer
- P2P-based attack strategies
  - Offline P2P-based Hit-list Scan (OPHLS)
  - Online P2P-based Scan (OPS)
  - Both strategies exploit features of P2P systems

23 Background: P2P Systems
- Host-based overlay systems
- Structured and unstructured
- Rich connectivity
- Very popular:
  - 3,467,860 users in the FastTrack P2P system
  - 1,420,399 users in the eDonkey P2P system
  - 1,155,953 users in the iMesh P2P system
  - 103,466 users in the Gnutella P2P system

24 Two P2P-based Worm Attack Strategies
- Offline P2P-based Hit-list Scan (OPHLS)
  - Collect P2P host addresses offline as a hit-list
  - Attack the hit-list first
  - Then attack the rest of the Internet via PRS
- Online P2P-based Scan (OPS)
  - Use runtime P2P neighbor information
  - Attack P2P neighbors
  - Apply the remaining attack resources to the Internet via PRS

25 Online-based P2P Worm Attack Strategy

26 Performance Comparison of Attack Strategies
- The P2P-based attack strategies overall outperform the PRS attack strategy
- The OPHLS attack strategy performs best, ahead of all the online-based attack strategies

27 Sensitivity of Attack to P2P System Size
- As the P2P system size increases, attack performance becomes consistently better for all attack strategies

28 Detection
- Host-based detection
- Network-based detection
  - Detecting large-scale worm propagation
  - Global distributed traffic-monitoring framework
  - Distributed monitors and a data center
  - Separating worm port scanning from background port scanning

29 Distributed Worm Monitoring Systems

30 Detection Schemes
- Assumed worm behavior
  - Pure random scan
  - Each worm instance takes part in the attack all the time
  - Constant scan rate
  - The overall port-scanning traffic volume therefore implies the number of worm instances (infected hosts)
  - The total number of worm instances, and with it the overall port-scanning traffic volume, increases exponentially during worm propagation
- Count-based and trend-based detection schemes: alert on the scan volume crossing a threshold, or on its growth trend
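Count-based versus trend-based detection, as an added example that is not from the slides or the monitoring system they describe. The input is a constructed series of per-window port-scan counts as a data center might aggregate them from distributed monitors: a steady background plus a worm population growing 30% per window. The count-based scheme alerts when the volume crosses a fixed multiple of the baseline; the trend-based scheme fits the slope of ln(count) over a sliding window and alerts when the estimated exponential growth rate stays above a floor for several consecutive windows. The series, the thresholds and the window sizes are assumptions:

```python
import math


def fit_log_slope(counts):
    """Least-squares slope of ln(count) against window index.

    For a series c_t = A * g**t the slope is ln(g); for a flat series it is ~0.
    Zero counts are floored at 1 before taking the logarithm.
    """
    n = len(counts)
    ys = [math.log(max(c, 1)) for c in counts]
    t_mean = (n - 1) / 2.0
    y_mean = sum(ys) / n
    num = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(ys))
    den = sum((t - t_mean) ** 2 for t in range(n))
    return num / den


def count_based_alert(counts, threshold):
    """Window index at which the scan count first reaches a fixed threshold, or None."""
    for t, c in enumerate(counts):
        if c >= threshold:
            return t
    return None


def trend_based_alert(counts, window=5, min_slope=0.05, consecutive=3):
    """Window index at which the fitted growth rate has exceeded min_slope for
    `consecutive` windows in a row, or None.

    A worm population grows geometrically while background scanning does not, so a
    sustained positive log-slope is the signal; the consecutive-window requirement
    suppresses one-off bursts.
    """
    streak = 0
    for t in range(window - 1, len(counts)):
        slope = fit_log_slope(counts[t - window + 1:t + 1])
        streak = streak + 1 if slope > min_slope else 0
        if streak >= consecutive:
            return t
    return None


JITTER = [0, 1, -1, 2, -2]     # constructed deterministic fluctuation in background scanning


def background_only(windows=30, base=50):
    """Constructed series: steady background port scanning and no worm."""
    return [base + JITTER[t % len(JITTER)] for t in range(windows)]


def background_plus_worm(windows=30, base=50, seed_instances=2, growth=1.3):
    """Constructed series: background plus a worm population growing 30% per window."""
    return [base + JITTER[t % len(JITTER)] + seed_instances * growth ** t
            for t in range(windows)]


if __name__ == "__main__":
    series = background_plus_worm()
    print("count-based alert (5x baseline) at window:", count_based_alert(series, 250))
    print("trend-based alert at window            :", trend_based_alert(series))
    print("trend-based alert on background only   :", trend_based_alert(background_only()))
```

Against the same series the trend-based scheme alerts several windows before the count-based one, because it keys on the growth rate rather than on absolute volume; the consecutive-window requirement is what keeps background jitter, which has no sustained positive slope, from triggering it. A worm with a varying or smart scan rate (slide 14) violates the constant-rate assumption and can flatten the trend, which is the evasion to keep in mind when tuning the floor.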

31 Infection Mitigation
- Patching
- Filtering / intrusion detection (signature-based)
  - DAW (Distributed Anti-Worm Architecture)
- TCP/IP stack reimplementation that bounds the rate of new connection requests

32 Goals of DAW
- Impede worm progress, allowing time for human intervention
- Detect worm-infected clients
- Keep congestion issues minimal, with little impact on routing performance
- Shigang Chen and Yong Tang. Slowing down Internet worms. In Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS), March 2004.

33 DAW
- Requirements
  - Distributed; sensors act independently
  - NIDS (rather than HIDS)
  - Limited responsibility, which ensures availability of the nodes

34 DAW

35 Active Worm Detection in DAW
- User behavior
  - Few failed connections (destinations are normally resolved through DNS first)
  - Predictable traffic generation throughout the "day"
  - Relatively uniform intranet traffic distribution
- Worm behavior
  - Sampling shows a 99.96% failure rate for scan attempts
  - Spikes in the failure:request ratio
  - Traffic pattern disproportionately dominated by infected clients

36 Active Worm Failures
- TCP only, random scanning
- Failures show up as ICMP Unreachable or TCP RST responses
- 99.96% of probes to 80/tcp fail
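A simplified DAW-style check on a constructed connection log, as an added example (it is not the algorithm from Chen and Tang's paper, which also compares long-term against recent failure rates and adds spatial rate limits). Two pieces: a per-source failure-ratio detector, which flags a host whose TCP RST / ICMP-unreachable rate looks like random scanning rather than user traffic, and a per-source limiter that bounds new connection requests per window, the mitigation listed on slide 31. The log, the hosts 10.0.0.2 and 10.0.0.7, the thresholds and the rate limit are all assumptions:

```python
from collections import defaultdict

FAILURES = {"rst", "unreach"}      # TCP RST or ICMP unreachable: the connection attempt failed


def build_sample_log():
    """Constructed sample log of tuples (time_ms, src, dst, dport, outcome).

    10.0.0.2 is a normal user: a few destinations, about 10% failures.
    10.0.0.7 is a Code Red-style scanner: 60 probes to 80/tcp at random-looking
    addresses within six seconds, only one of which finds a listening web server.
    """
    log = []
    user_dsts = ["93.184.216.34", "198.51.100.7", "203.0.113.9"]
    for k in range(20):
        outcome = "unreach" if k % 10 == 9 else "ok"
        log.append((1000 * k, "10.0.0.2", user_dsts[k % 3], 443 if k % 2 else 80, outcome))
    for k in range(60):
        dst = f"{(k * 37) % 223 + 1}.{(k * 91) % 256}.{(k * 53) % 256}.{(k * 17) % 256}"
        outcome = "ok" if k == 25 else ("rst" if k % 2 else "unreach")
        log.append((100 * k, "10.0.0.7", dst, 80, outcome))
    return sorted(log)


def failure_stats(log):
    """Per-source (attempts, failures, failure ratio)."""
    stats = defaultdict(lambda: [0, 0])
    for _, src, _, _, outcome in log:
        stats[src][0] += 1
        if outcome in FAILURES:
            stats[src][1] += 1
    return {src: (a, f, f / a) for src, (a, f) in stats.items()}


def flag_scanners(log, min_attempts=20, min_ratio=0.9):
    """Sources whose failure ratio looks like worm scanning rather than user traffic.

    Users fail a small fraction of their connections; a random-scanning worm fails
    almost all of them. min_attempts stops a single unlucky user (2 failures out of
    2 attempts) from being flagged on too little evidence.
    """
    return {src for src, (a, f, ratio) in failure_stats(log).items()
            if a >= min_attempts and ratio >= min_ratio}


class ConnectionRateLimiter:
    """Bound new outbound connection requests per source to max_per_window per window_ms.

    This is the 'bound connection requests' mitigation: it does not stop a host from
    being infected, but it caps how fast an infected host can scan, which lowers the
    worm's effective scan rate and buys time for detection and patching.
    """

    def __init__(self, max_per_window=1, window_ms=1000):
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.state = {}                       # src -> [current window index, count]

    def allow(self, src, time_ms):
        idx = time_ms // self.window_ms
        st = self.state.get(src)
        if st is None or st[0] != idx:        # new window: reset the per-source count
            st = [idx, 0]
            self.state[src] = st
        if st[1] >= self.max_per_window:
            return False
        st[1] += 1
        return True


def apply_rate_limit(log, limiter):
    """Replay the log through the limiter; return per-source counts of requests let through."""
    passed = defaultdict(int)
    for time_ms, src, _, _, _ in log:
        if limiter.allow(src, time_ms):
            passed[src] += 1
    return dict(passed)


if __name__ == "__main__":
    log = build_sample_log()
    for src, (attempts, failures, ratio) in sorted(failure_stats(log).items()):
        print(f"{src:10s} attempts={attempts:3d} failures={failures:3d} ratio={ratio:.2f}")
    print("flagged as scanners:", flag_scanners(log))
    print("requests passed by a 1-per-second limiter:", apply_rate_limit(log, ConnectionRateLimiter()))
```

The minimum-attempt floor matters in practice: a user whose first two connections fail has a 100% failure ratio but is not a scanner, and DNS-resolved destinations rarely produce RST or unreachable replies at all. The limiter on its own leaves the user's one-connection-per-second pattern untouched while cutting the scanner from 60 probes to 6, which is exactly the reduction in r that the propagation model translates into a slower outbreak.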

37 Summary
- Worms can spread quickly:
  - 359,000 hosts in less than 14 hours
- Home / small-business hosts play a significant role in global Internet health
  - No system administrator, so slow response
  - Infected machines cannot be estimated by counting unique IP addresses: the DHCP effect appears to be real and significant
- Active worm defense
  - Modeling
  - Infection mitigation

